#xss

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Walter Pinem OneClick Chat to Order plugin <= 1.0.4.2 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFactory Products, Order & Customers Export for WooCommerce plugin <= 2.0.7 versions.

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability on 302 response page in spider-themes EazyDocs plugin <= 2.3.3 versions.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in wpdevart Countdown and CountUp, WooCommerce Sales Timer plugin <= 1.8.2 versions.

Unauth. Stored Cross-Site Scripting (XSS) vulnerability in Atarim Visual Website Collaboration, Feedback & Project Management – Atarim plugin <= 3.12 versions.

> ### CVSS: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RL:O/RC:C` (4.4) ### Problem DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of [`typo3/html-sanitizer`](https://packagist.org/packages/typo3/html-sanitizer). ### Solution Update to `typo3/html-sanitizer` versions 1.5.3 or 2.1.4 that fix the problem described. ### Credits Thanks to Yaniv Nizry and Niels Dossche who reported this issue, and to TYPO3 core & security team member Oliver Hader who fixed the issue. ### References * [TYPO3-CORE-SA-2023-007](https://typo3.org/security/advisory/typo3-core-sa-2023-007) * [Disclosure & PoC](https://github.com/TYPO3/html-sanitizer/security/advisories/GHSA-652v-xw37-rvw7) (embargoed +90 days)

TYPO3 is an open source PHP based web content management system released under the GNU GPL. In affected versions DOM processing instructions are not handled correctly. This allows bypassing the cross-site scripting mechanism of typo3/html-sanitizer. This vulnerability has been addressed in versions 1.5.3 and 2.1.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Cross-Site Request Forgery (CSRF) vulnerability in RedNao Donations Made Easy – Smart Donations allows Stored XSS.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in DenK BV Actueel Financieel Nieuws – Denk Internet Solutions plugin <= 5.1.0 versions.

Auth. (Shop Manager+) Stored Cross-Site Scripting (XSS) vulnerability in CedCommerce Recently viewed and most viewed products plugin <= 1.1.1 versions.